import setroubleshoot-3.3.26-6.el8

9 months ago · b0f56ab3de
commit b0f56ab3de
14 changed files with 42502 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+SOURCES/setroubleshoot-3.3.26.tar.gz
--- a/.setroubleshoot.metadata
+++ b/.setroubleshoot.metadata
@ -0,0 +1 @@
+dab49dd85f3d8489fef60d2b94c4931cc9c473ea SOURCES/setroubleshoot-3.3.26.tar.gz
--- a/SOURCES/0001-Stop-SetroubleshootFixit-after-10-seconds-of-inactiv.patch
+++ b/SOURCES/0001-Stop-SetroubleshootFixit-after-10-seconds-of-inactiv.patch
@ -0,0 +1,45 @@
+From 78840f4e0bd41d3ba1b3c90b909e6c2cf7ef4ea7 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Wed, 14 Apr 2021 17:03:39 +0200
+Subject: [PATCH] Stop SetroubleshootFixit after 10 seconds of inactivity
+
+---
+ src/SetroubleshootFixit.py | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/framework/src/SetroubleshootFixit.py b/framework/src/SetroubleshootFixit.py
+index 15c6cab..f7cbf95 100644
+--- a/framework/src/SetroubleshootFixit.py
+++ b/framework/src/SetroubleshootFixit.py
+@@ -7,6 +7,7 @@ from gi.repository import GLib
+ import slip.dbus.service
+ from slip.dbus import polkit
+ import os
+import signal
+ 
+ 
+ class RunFix(slip.dbus.service.Object):
+@@ -14,12 +15,20 @@ class RunFix(slip.dbus.service.Object):
+ 
+     def __init__(self, *p, **k):
+         super(RunFix, self).__init__(*p, **k)
+        self.timeout = 10
+        self.alarm(self.timeout)
+
+    def alarm(self, timeout=10):
+        signal.alarm(timeout)
+
+ 
+     @dbus.service.method("org.fedoraproject.SetroubleshootFixit", in_signature='ss', out_signature='s')
+     def run_fix(self, local_id, analysis_id):
+         import subprocess
+        self.alarm(0)
+         command = ["sealert", "-f", local_id, "-P", analysis_id]
+         return subprocess.check_output(command, universal_newlines=True)
+        self.alarm(self.timeout)
+ 
+ if __name__ == "__main__":
+     mainloop = GLib.MainLoop()
+-- 
+2.30.2
+
--- a/SOURCES/0002-Do-not-use-Python-slip-package.patch
+++ b/SOURCES/0002-Do-not-use-Python-slip-package.patch
@ -0,0 +1,103 @@
+From e9def2b8b0098842d0223d0951f41e2106821a88 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Wed, 14 Apr 2021 17:04:59 +0200
+Subject: [PATCH] Do not use Python slip package
+
+It's not maintained anymore and it allows us to drop dependency on
+Python slip package
+
+Use DBUS polkit interface instead -
+https://www.freedesktop.org/software/polkit/docs/latest/eggdbus-interface-org.freedesktop.PolicyKit1.Authority.html
+---
+ src/SetroubleshootFixit.py    | 35 +++++++++++++++++++++++++----------
+ src/setroubleshoot/browser.py |  3 ---
+ 2 files changed, 25 insertions(+), 13 deletions(-)
+
+diff --git a/framework/src/SetroubleshootFixit.py b/framework/src/SetroubleshootFixit.py
+index f7cbf95..ab0ad2b 100644
+--- a/framework/src/SetroubleshootFixit.py
+++ b/framework/src/SetroubleshootFixit.py
+@@ -4,13 +4,11 @@ import dbus
+ import dbus.service
+ import dbus.mainloop.glib
+ from gi.repository import GLib
+-import slip.dbus.service
+-from slip.dbus import polkit
+ import os
+ import signal
+import subprocess
+ 
+-
+-class RunFix(slip.dbus.service.Object):
+class RunFix(dbus.service.Object):
+     default_polkit_auth_required = "org.fedoraproject.setroubleshootfixit.write"
+ 
+     def __init__(self, *p, **k):
+@@ -21,14 +19,32 @@ class RunFix(slip.dbus.service.Object):
+     def alarm(self, timeout=10):
+         signal.alarm(timeout)
+ 
+-
+-    @dbus.service.method("org.fedoraproject.SetroubleshootFixit", in_signature='ss', out_signature='s')
+-    def run_fix(self, local_id, analysis_id):
+-        import subprocess
+    def is_authorized(self, sender):
+        bus = dbus.SystemBus()
+
+        proxy = bus.get_object('org.freedesktop.PolicyKit1', '/org/freedesktop/PolicyKit1/Authority')
+        authority = dbus.Interface(proxy, dbus_interface='org.freedesktop.PolicyKit1.Authority')
+        subject = ('system-bus-name', {'name' : sender})
+        action_id = 'org.fedoraproject.setroubleshootfixit.write'
+        details = {}
+        flags = 1            # AllowUserInteraction flag
+        cancellation_id = '' # No cancellation id
+        result = authority.CheckAuthorization(subject, action_id, details, flags, cancellation_id)
+        return result[0]
+
+    @dbus.service.method("org.fedoraproject.SetroubleshootFixit", sender_keyword="sender", in_signature='ss', out_signature='s')
+    def run_fix(self, local_id, analysis_id, sender):
+         self.alarm(0)
+         command = ["sealert", "-f", local_id, "-P", analysis_id]
+-        return subprocess.check_output(command, universal_newlines=True)
+
+        if self.is_authorized(sender):
+            result = subprocess.check_output(command, universal_newlines=True)
+        else:
+            result = "Authorization failed"
+
+         self.alarm(self.timeout)
+        return result
+
+ 
+ if __name__ == "__main__":
+     mainloop = GLib.MainLoop()
+@@ -36,5 +52,4 @@ if __name__ == "__main__":
+     system_bus = dbus.SystemBus()
+     name = dbus.service.BusName("org.fedoraproject.SetroubleshootFixit", system_bus)
+     object = RunFix(system_bus, "/org/fedoraproject/SetroubleshootFixit/object")
+-    slip.dbus.service.set_mainloop(mainloop)
+     mainloop.run()
+diff --git a/framework/src/setroubleshoot/browser.py b/framework/src/setroubleshoot/browser.py
+index 2d37bb4..3203f75 100644
+--- a/framework/src/setroubleshoot/browser.py
+++ b/framework/src/setroubleshoot/browser.py
+@@ -65,8 +65,6 @@ from setroubleshoot.util import *
+ from setroubleshoot.html_util import html_to_text
+ import re
+ import dbus
+-import slip.dbus.service
+-from slip.dbus import polkit
+ import report
+ import report.io
+ import report.io.GTKIO
+@@ -933,7 +931,6 @@ class DBusProxy (object):
+         self.bus = dbus.SystemBus()
+         self.dbus_object = self.bus.get_object("org.fedoraproject.SetroubleshootFixit", "/org/fedoraproject/SetroubleshootFixit/object")
+ 
+-    @polkit.enable_proxy
+     def run_fix(self, local_id, plugin_name):
+         return self.dbus_object.run_fix(local_id, plugin_name, dbus_interface="org.fedoraproject.SetroubleshootFixit")
+ 
+-- 
+2.30.2
+
--- a/SOURCES/0003-Fix-typos-in-help-man-pages-and-developer-s-guide.patch
+++ b/SOURCES/0003-Fix-typos-in-help-man-pages-and-developer-s-guide.patch
@ -0,0 +1,82 @@
+From f6a21742b2531f5dfd0fa68400848ca4314f972f Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Mon, 6 Dec 2021 12:14:04 +0100
+Subject: [PATCH] Fix typos in --help, man pages and developer's guide
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ TODO                         | 2 +-
+ doc/sealert.8                | 2 +-
+ src/config.py.in             | 2 +-
+ src/sealert                  | 2 +-
+ src/setroubleshoot/server.py | 2 +-
+ 5 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/framework/TODO b/framework/TODO
+index 6c2f375..25072ea 100644
+--- a/framework/TODO
+++ b/framework/TODO
+@@ -22,7 +22,7 @@ return plain text (to be used for plaintext email and writing to
+ stdout).
+ 
+ (John) Add log file scanning support (I'm currently working on this).
+-We could use a better parser for AVC's in log file or other "stream",
+We could use a better parser for AVCs in log file or other "stream",
+ should work by accepting data via a feed() method and invoke a
+ callback when it finds an AVC returning an AVC class and a range
+ (start,end) where it was located (question: should the range be line
+diff --git a/framework/doc/sealert.8 b/framework/doc/sealert.8
+index 89f4dff..d3e81e3 100644
+--- a/framework/doc/sealert.8
+++ b/framework/doc/sealert.8
+@@ -102,7 +102,7 @@ Start sealert without dbus service as stand alone app
+ Lookup alert by id, if id is wildcard * then return all alerts
+ .TP 
+ .B \-a \-\-analyze file   
+-Scan a log file, analyze its AVC's
+Scan a log file, analyze its AVCs
+ .TP 
+ .B \-u \-\-user        
+ logon as user
+diff --git a/framework/src/config.py.in b/framework/src/config.py.in
+index cbb0542..daf9a68 100644
+--- a/framework/src/config.py.in
+++ b/framework/src/config.py.in
+@@ -184,7 +184,7 @@ the alert's last seen date will be purged first. Zero implies no limit''',
+         'max_alert_age': {
+             'value': '',
+             'description' : '''
+-Purge any alerts whose age based on it's last seen date exceeds this threshold.
+Purge any alerts whose age based on its last seen date exceeds this threshold.
+ Age may be specified as a sequence of integer unit pairs. Units may be one of
+ year,month,week,day,hour,minute,second and may optionally be plural.
+ Example: '2 weeks 1 day' sets the threshold at 15 days.
+diff --git a/framework/src/sealert b/framework/src/sealert
+index bae0c81..2663a21 100755
+--- a/framework/src/sealert
+++ b/framework/src/sealert
+@@ -598,7 +598,7 @@ if __name__ == '__main__':
+         parser.add_option("-l", "--lookupid", dest="lookupid", default=False,
+                           help="Lookup alert by id, id may be wildcard * to lookup all alerts")
+         parser.add_option("-a", "--analyze", dest="analyze", default=False,
+-                          help="Scan a log file, analyze it's AVC's", metavar="FILE")
+                          help="Scan a log file, analyze its AVCs", metavar="FILE")
+         parser.add_option("-u", "--user", dest="user", default=False,
+                           help="logon user name")
+         parser.add_option("-p", "--password", dest="password", default=False,
+diff --git a/framework/src/setroubleshoot/server.py b/framework/src/setroubleshoot/server.py
+index aef0346..771ea15 100755
+--- a/framework/src/setroubleshoot/server.py
+++ b/framework/src/setroubleshoot/server.py
+@@ -764,7 +764,7 @@ def RunFaultServer(timeout=10):
+     try:
+         # FIXME: should this be using our logging objects in log.py?
+         # currently syslog is only used for putting an alert into
+-        # the syslog with it's id
+        # the syslog with its id
+ 
+         global pkg_name
+         syslog.openlog(pkg_name)
+-- 
+2.30.2
+
--- a/SOURCES/0004-Revert-Replace-pydbus-with-dasbus.patch
+++ b/SOURCES/0004-Revert-Replace-pydbus-with-dasbus.patch
@ -0,0 +1,174 @@
+From e0cf9f2e50e8da856ffd511cbbab7ee36a31bb74 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Fri, 10 Dec 2021 15:04:21 +0100
+Subject: [PATCH] Revert "Replace pydbus with dasbus"
+
+dasbus is not available in rhel8.
+
+This reverts commit 5290ca0ee06d69102bf2b756e2decc0f8c5b770f.
+---
+ configure.ac                    |  6 +++---
+ src/SetroubleshootPrivileged.py | 32 ++++++++++++++------------------
+ src/seapplet                    | 21 +++++++++++++--------
+ src/setroubleshoot/util.py      |  9 +++------
+ 4 files changed, 33 insertions(+), 35 deletions(-)
+
+diff --git a/framework/configure.ac b/framework/configure.ac
+index d1d0176..e3b7b5a 100644
+--- a/framework/configure.ac
+++ b/framework/configure.ac
+@@ -65,13 +65,13 @@ else
+                    $python_module_result])
+ fi
+ 
+-AC_MSG_CHECKING([for the dasbus python3 module])
+-python_module_result=`$PYTHON -c "import dasbus" 2>&1`
+AC_MSG_CHECKING([for the pydbus python3 module])
+python_module_result=`$PYTHON -c "import pydbus" 2>&1`
+ if test -z "$python_module_result"; then
+ 	AC_MSG_RESULT([yes])
+ else
+ 	AC_MSG_RESULT([no])
+-	AC_MSG_ERROR([cannot import Python3 module dasbus.
+	AC_MSG_ERROR([cannot import Python3 module pydbus.
+                    Please check your Python3 installation. The error was:
+                    $python_module_result])
+ fi
+diff --git a/framework/src/SetroubleshootPrivileged.py b/framework/src/SetroubleshootPrivileged.py
+index d2a9ea4..899e687 100644
+--- a/framework/src/SetroubleshootPrivileged.py
+++ b/framework/src/SetroubleshootPrivileged.py
+@@ -19,23 +19,23 @@
+ # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ 
+ from gi.repository import GLib
+-from dasbus.connection import SystemMessageBus
+from pydbus import SystemBus
+ import setroubleshoot.util
+ import signal
+ 
+ loop = GLib.MainLoop()
+ 
+ class Privileged(object):
+-    __dbus_xml__ = """
+-    <node>
+-        <interface name='org.fedoraproject.SetroubleshootPrivileged'>
+-            <method name='get_rpm_nvr_by_scontext'>
+-                <arg type='s' name='scontext' direction='in'/>
+-                <arg type='s' name='rpmnvr' direction='out'/>
+-            </method>
+-            <method name='finish'/>
+-        </interface>
+-    </node>
+    """
+		<node>
+			<interface name='org.fedoraproject.SetroubleshootPrivileged'>
+				<method name='get_rpm_nvr_by_scontext'>
+					<arg type='s' name='scontext' direction='in'/>
+    				<arg type='s' name='rpmnvr' direction='out'/>
+				</method>
+				<method name='finish'/>
+			</interface>
+		</node>
+     """
+ 
+     def __init__(self, timeout=10):
+@@ -58,10 +58,6 @@ class Privileged(object):
+         loop.quit()
+ 
+ if __name__ == "__main__":
+-    bus = SystemMessageBus()
+-    try:
+-        bus.publish_object("/org/fedoraproject/SetroubleshootPrivileged", Privileged())
+-        bus.register_service("org.fedoraproject.SetroubleshootPrivileged")
+-        loop.run()
+-    finally:
+-        bus.disconnect()
+    bus = SystemBus()
+    bus.publish("org.fedoraproject.SetroubleshootPrivileged", Privileged())
+    loop.run()
+diff --git a/framework/src/seapplet b/framework/src/seapplet
+index b5f65d1..79b5ef2 100644
+--- a/framework/src/seapplet
+++ b/framework/src/seapplet
+@@ -26,7 +26,7 @@ from gi.repository import Gtk
+ gi.require_version('Notify', '0.7')
+ from gi.repository import Notify
+ 
+-from dasbus.connection import SystemMessageBus
+from pydbus import SystemBus
+ 
+ import selinux
+ import sys
+@@ -52,14 +52,13 @@ class SEApplet(GObject.Object):
+ 
+     def __init__(self):
+ 
+-        bus = SystemMessageBus()
+-        Setroubleshootd = bus.get_proxy(
+-            'org.fedoraproject.Setroubleshootd',
+-            '/org/fedoraproject/Setroubleshootd'
+        bus = SystemBus()
+        self.bus_signal = bus.subscribe(
+            iface='org.fedoraproject.SetroubleshootdIface',
+            signal='alert',
+            signal_fired=self.send_notification
+         )
+ 
+-        Setroubleshootd.alert.connect(self.send_notification)
+-
+         super(SEApplet, self).__init__()
+         Notify.init("seapplet")
+         # lets initialise with the application name
+@@ -81,6 +80,11 @@ class SEApplet(GObject.Object):
+         except:
+             pass
+ 
+        Setroubleshootd = bus.get(
+            'org.fedoraproject.Setroubleshootd',
+            '/org/fedoraproject/Setroubleshootd'
+        )
+
+         (count, red) = Setroubleshootd.check_for_new(last_id)
+ 
+         if count > 0:
+@@ -115,7 +119,8 @@ class SEApplet(GObject.Object):
+         launcher.launch(None, context)
+         self.status_icon.set_visible(False)
+ 
+-    def send_notification(self, *params):
+    def send_notification(self, sender, dobject, iface, signal, params):
+
+         status_icon = self.__init_status_icon()
+         status_icon.set_visible(True)
+ 
+diff --git a/framework/src/setroubleshoot/util.py b/framework/src/setroubleshoot/util.py
+index 02c4f75..657c882 100755
+--- a/framework/src/setroubleshoot/util.py
+++ b/framework/src/setroubleshoot/util.py
+@@ -69,7 +69,7 @@ __all__ = [
+ import bz2
+ import six
+ import datetime
+-from dasbus.connection import SystemMessageBus
+from pydbus import SystemBus
+ import glob
+ from gi.repository import GObject
+ import os
+@@ -522,11 +522,8 @@ Finds an SELinux module which defines given SELinux context
+ 
+     """
+     if use_dbus:
+-        bus = SystemMessageBus()
+-        remote_object = bus.get_proxy(
+-            "org.fedoraproject.SetroubleshootPrivileged",
+-            "/org/fedoraproject/SetroubleshootPrivileged"
+-        )
+        bus = SystemBus()
+        remote_object = bus.get("org.fedoraproject.SetroubleshootPrivileged")
+         return str(remote_object.get_rpm_nvr_by_scontext(str(scontext)))
+     else:
+         context = selinux.context_new(str(scontext))
+-- 
+2.30.2
+
--- a/SOURCES/0005-Improve-after_first-email-filter-behavior.patch
+++ b/SOURCES/0005-Improve-after_first-email-filter-behavior.patch
@ -0,0 +1,40 @@
+From 73d60acf9d4d7ae740d450f9c9a9566dac1c3111 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Thu, 3 Feb 2022 18:14:05 +0100
+Subject: [PATCH] Improve after_first email filter behavior
+
+after_first used to send 2 emails before it started to filter. The
+problem was in the email users were not saved into database when a new
+signature was created.
+
+Also we need to skip email users when we evaluated whether send a
+desktop notification or not.
+---
+ src/setroubleshoot/server.py | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/framework/src/setroubleshoot/server.py b/framework/src/setroubleshoot/server.py
+index 771ea15..10ef215 100755
+--- a/framework/src/setroubleshoot/server.py
+++ b/framework/src/setroubleshoot/server.py
+@@ -220,6 +220,7 @@ class AlertPluginReportReceiver(PluginReportReceiver):
+             if len(to_addrs):
+                 from setroubleshoot.email_alert import email_alert
+                 email_alert(siginfo, to_addrs)
+            self.database.mark_modified()
+ 
+         log_debug("sending alert to all clients")
+ 
+@@ -234,6 +235,9 @@ class AlertPluginReportReceiver(PluginReportReceiver):
+             systemd.journal.send(siginfo.format_text(), OBJECT_PID=pid, SYSLOG_IDENTIFIER=pkg_name)
+ 
+         for u in siginfo.users:
+            if u.username[0:6] == "email:":
+                # skip email users - they were evaluated before
+                continue
+             action = siginfo.evaluate_filter_for_user(u.username)
+             if action == "ignore":
+                 return siginfo
+-- 
+2.30.2
+
--- a/SOURCES/0006-Update-translations.patch
+++ b/SOURCES/0006-Update-translations.patch
--- a/SOURCES/0007-Decrease-setroubleshootd-priority-and-limit-RAM-util.patch
+++ b/SOURCES/0007-Decrease-setroubleshootd-priority-and-limit-RAM-util.patch
@ -0,0 +1,70 @@
+From a2102cb35cd45852fc508b2f62400be098050d7a Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Mon, 4 Jul 2022 16:20:30 +0200
+Subject: [PATCH] Decrease setroubleshootd priority and limit RAM utilization
+ to 1GB
+
+This should help with system responsiveness in case of large amount of
+AVCs. The memory limit ensures the process cannot indefinitely hog
+memory in case it is running continuously. My testing showed normal
+memory consumption not to exceed 350MB, so 1GB should not limit normal
+operation.
+
+Note: Limiting memory using systemd service file was chosen to make it easier
+for users to adjust the limits.
+
+Related:
+https://bugzilla.redhat.com/show_bug.cgi?id=2064727
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ Makefile.am                               |  3 +++
+ org.fedoraproject.Setroubleshootd.service |  3 ++-
+ setroubleshootd.service                   | 10 ++++++++++
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+ create mode 100644 setroubleshootd.service
+
+diff --git a/framework/Makefile.am b/framework/Makefile.am
+index f330b7c..93c6a06 100644
+--- a/framework/Makefile.am
+++ b/framework/Makefile.am
+@@ -28,6 +28,9 @@ polkit_systemdir = $(datadir)/polkit-1/actions
+ polkit_system_DATA = \
+ 			org.fedoraproject.setroubleshootfixit.policy
+ 
+systemd_systemunitdir = $(prefix)/lib/systemd/system/
+systemd_systemunit_DATA = setroubleshootd.service
+
+ autostartdir = $(sysconfdir)/xdg/autostart
+ autostart_DATA = sealertauto.desktop
+ 
+diff --git a/framework/org.fedoraproject.Setroubleshootd.service b/framework/org.fedoraproject.Setroubleshootd.service
+index 05c2c39..2c52499 100644
+--- a/framework/org.fedoraproject.Setroubleshootd.service
+++ b/framework/org.fedoraproject.Setroubleshootd.service
+@@ -1,4 +1,5 @@
+ [D-BUS Service]
+ Name=org.fedoraproject.Setroubleshootd
+-Exec=/usr/sbin/setroubleshootd -f 
+SystemdService=setroubleshootd.service
+Exec=/bin/false
+ User=setroubleshoot
+diff --git a/framework/setroubleshootd.service b/framework/setroubleshootd.service
+new file mode 100644
+index 0000000..81c75b1
+--- /dev/null
+++ b/framework/setroubleshootd.service
+@@ -0,0 +1,10 @@
+[Unit]
+Description=SETroubleshoot daemon for processing new SELinux denial logs
+
+[Service]
+Type=dbus
+BusName=org.fedoraproject.Setroubleshootd
+ExecStart=/usr/sbin/setroubleshootd -f
+User=setroubleshoot
+LimitAS=1G
+Nice=5
+-- 
+2.35.3
+
--- a/SOURCES/0008-doc-Document-performance-related-changes.patch
+++ b/SOURCES/0008-doc-Document-performance-related-changes.patch
@ -0,0 +1,45 @@
+From eed06d0f11867c1019fee4fb1a80be775a60d74e Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Mon, 11 Jul 2022 18:20:47 +0200
+Subject: [PATCH] doc: Document performance related changes
+
+- Setroubleshootd is now executed using setroubleshootd.service
+- ^^ is limited to 1GB of RAM and has a lower than normal priority
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ doc/setroubleshootd.8 | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/framework/doc/setroubleshootd.8 b/framework/doc/setroubleshootd.8
+index bed6713..f1f04d8 100644
+--- a/framework/doc/setroubleshootd.8
+++ b/framework/doc/setroubleshootd.8
+@@ -23,9 +23,14 @@ components, sealert and setroubleshootd.
+ setroubleshootd is a system daemon which runs under setroubleshoot user and
+ listens for audit events emitted from the kernel related to SELinux. When the
+ setroubleshootd daemon sees an SELinux AVC denial it runs a series of analysis
+-plugins which examines the audit data related to the AVC. It records the
+plugins which examine the audit data related to the AVC. It records the
+ results of the analysis and signals any clients which have attached to the
+ setroubleshootd daemon that a new alert has been seen.
+.P
+setroubleshootd is not persistent and only runs when there are new AVCs to be
+analyzed. It is executed using setroubleshootd.service, which also limits its
+priority and maximum RAM utilization to 1GB, in order to help with system
+responsiveness in case of large amounts of AVCs.
+ 
+ .SH "OPTIONS"
+ .TP 
+@@ -33,7 +38,7 @@ setroubleshootd daemon that a new alert has been seen.
+ Do not fork the daemon
+ .TP 
+ .B \-d \-\-debug
+-Do not exit after 10 seconds
+Do not exit after 10 seconds of inactivity
+ .TP 
+ .B \-h \-\-help           
+ Show this message
+-- 
+2.35.3
+
--- a/SOURCES/0009-setroubleshoot-server-shutdown-RunFaultServer-nicely.patch
+++ b/SOURCES/0009-setroubleshoot-server-shutdown-RunFaultServer-nicely.patch
@ -0,0 +1,56 @@
+From 2fbc58c26359989894dfb54daaca2ff4b537f4fe Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 22 Apr 2022 16:27:30 +0200
+Subject: [PATCH] setroubleshoot/server: shutdown RunFaultServer nicely
+
+    systemd[1]: dbus-:1.2-org.fedoraproject.Setroubleshootd@2.service: Main process exited, code=killed, status=14/ALRM
+    systemd[1]: dbus-:1.2-org.fedoraproject.Setroubleshootd@2.service: Failed with result 'signal'.
+    audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0 msg='unit=dbus-:1.2-org.fedoraproject.Setroubleshootd@2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
+---
+ src/setroubleshoot/server.py | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/framework/src/setroubleshoot/server.py b/framework/src/setroubleshoot/server.py
+index 10ef215..8f16993 100755
+--- a/framework/src/setroubleshoot/server.py
+++ b/framework/src/setroubleshoot/server.py
+@@ -733,9 +733,17 @@ def goodbye(database):
+     audit2why.finish()
+ 
+ 
+main_loop = GLib.MainLoop()
+
+
+def alarm_handler(signum, frame):
+    log_debug("SIGALRM raised in RunFaultServer")
+    main_loop.quit()
+
+
+ def RunFaultServer(timeout=10):
+     signal.alarm(timeout)
+-    sigalrm_handler = signal.signal(signal.SIGALRM, polling_failed_handler)
+    signal.signal(signal.SIGALRM, polling_failed_handler)
+     # polling for /sys/fs/selinux/policy file
+     while True:
+         try:
+@@ -760,7 +768,7 @@ def RunFaultServer(timeout=10):
+ 
+     global host_database, analysis_queue, email_recipients
+ 
+-    signal.signal(signal.SIGALRM, sigalrm_handler)
+    signal.signal(signal.SIGALRM, alarm_handler)
+     signal.signal(signal.SIGHUP, sighandler)
+ 
+     #interface_registry.dump_interfaces()
+@@ -856,7 +864,7 @@ def RunFaultServer(timeout=10):
+ 
+         dbus.glib.init_threads()
+         setroubleshootd_dbus = SetroubleshootdDBus(analysis_queue, alert_receiver, timeout)
+-        main_loop = GLib.MainLoop()
+
+         main_loop.run()
+ 
+     except KeyboardInterrupt as e:
+-- 
+2.35.3
+
--- a/SOURCES/0010-Check-that-SELinux-is-enabled-before-running.patch
+++ b/SOURCES/0010-Check-that-SELinux-is-enabled-before-running.patch
@ -0,0 +1,48 @@
+From 9e2753d241bf0bccaf0b05984e7562a2ac2a70e6 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Thu, 24 Aug 2023 19:02:24 +0200
+Subject: [PATCH] Check that SELinux is enabled before running
+
+Setroubleshootd will fail to run when selinux is disabled. Check that
+SELinux is enabled in setroubleshootd service file and in sealert (so
+that it does not wait for setroubleshootd to start).
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2178950
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ setroubleshootd.service | 1 +
+ src/sealert             | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/framework/setroubleshootd.service b/framework/setroubleshootd.service
+index 81c75b1..7fc2ffb 100644
+--- a/framework/setroubleshootd.service
+++ b/framework/setroubleshootd.service
+@@ -1,5 +1,6 @@
+ [Unit]
+ Description=SETroubleshoot daemon for processing new SELinux denial logs
+ConditionSecurity=selinux
+ 
+ [Service]
+ Type=dbus
+diff --git a/framework/src/sealert b/framework/src/sealert
+index 2663a21..5ce6463 100755
+--- a/framework/src/sealert
+++ b/framework/src/sealert
+@@ -576,6 +576,12 @@ if __name__ == '__main__':
+     setup_sighandlers()
+     log_debug("main() args=%s" % sys.argv)
+ 
+    # Exit if selinux is disabled - setroubleshootd cannot start
+    if not selinux.is_selinux_enabled():
+        log_debug("SELinux not enabled, sealert will not run on non SELinux systems")
+        print("SELinux not enabled, sealert will not run on non SELinux systems", file=sys.stderr)
+        sys.exit(3)
+
+     def validate_invocation_style(opt, opts_instance, conflict_opts):
+         global invocation_style
+         conflict_opts.remove(opt)
+-- 
+2.41.0
+
--- a/SOURCES/setroubleshoot.tmpfiles
+++ b/SOURCES/setroubleshoot.tmpfiles
@ -0,0 +1 @@
+d /run/setroubleshoot 711 setroubleshoot setroubleshoot -
--- a/SPECS/setroubleshoot.spec
+++ b/SPECS/setroubleshoot.spec
				`@ -0,0 +1 @@`
				`dab49dd85f3d8489fef60d2b94c4931cc9c473ea SOURCES/setroubleshoot-3.3.26.tar.gz`
				`@ -0,0 +1 @@`
				`d /run/setroubleshoot 711 setroubleshoot setroubleshoot -`